Our remarks

• It is worth noting that a link to SmartResponse’s partners provided sufficient information about their partners within GDPR, Article 13. It has earlier been unclear if this was enough to fulfill the obligation to inform.

• Regarding the processing and transfer of data via questionnaires, SmartResponse relied on GDPR, Article 6(1)(f) (legitimate interest), and the exception in Section 13(2) of the Danish Data Protection Act (transfer of general customer data for direct marketing purposes without the data subject’s consent). When relying on the exception, two conditions must be met:
  ° It must be general (customer) information.
  ° The transfer must be in accordance with a balancing of interests under GDPR, Article 6(1)(f).

• In this case, the conditions for the use of the exception were not met. The information obtained via questionnaires was not general customer information, as it included detailed personal data such as the data subject’s mobile phone provider, TV provider, labor market affiliation, mortgage credit institution (if any), and electricity supplier. Therefore, the transfer did not comply with the balancing of interest rule. SmartResponse should have obtained consent before disclosing this information. Therefore Section 13(2) of the Data Protection Act could not be relied on as the lawful basis for processing.

• Under GDPR Article 7(1), the controller may retain the information regarding obtained consent throughout the processing period for the purpose of providing evidence, as per the requirements for legal consent.

• In contrast, information on the withdrawal of consent may only be kept for a limited period, as there must be a genuine and present interest. This interest may be present for a limited period while it is determined whether a concrete dispute exists or not. The specific length of time for which the data may be kept must be based on a case-by-case basis.
The Danish DPA determined that retaining a register of withdrawn consents for five years, in line with the limitation period in section 41(1) of the Data Protection Act, is not necessary. Such retention would go against the principle of storage limitation outlined in GDPR, Article 5(1)(e).

Complycloud EU GDPR Report - Page 103